Go to the profile of Hussein Badakhchani
Hussein Badakhchani
Global analyst in science, technology, economics, politics and ethics; Views are my own or appropriated from the informed. Expect a measured response.

Applying KnowIT: Everything as a Service, SDLC & DevOps

In my last post on Everything as a Service (Software Defined Everything, Everything as a Service and the Market) I applied the KnowIT principles (NoDev, NoOps and NoIT ) to inform the decisions that we take to realise the outcomes we desire in order to meet and exceed the expectations of our stakeholders when considering the ‘why’, ‘what’ and ‘how’ of delivering Everything as a Service (XaaS).

In this post I’m going to attempt to demonstrate how the convergence of DevOps culture and tooling with Software Development Life Cycle (SDLC) expressed via Platform as a Service (PaaS) can deliver the enterprise from the subjugation, bureaucracy and downright misallocation of resources of regulated and compliant Enterprise SDLCs. Further more, I will illuminate how the Java infrastructure that underpins almost all the tooling for the DevOps circuitry of Enterprise SDLC can leverage the Waratek’s AppSecurity for Java to enable state of the art Runtime Application Self Protection, Virtual Patching, and Zero Day Attack Mitigation from the genesis of code to its realisation in production.

Begin At The Beginning

For the purpose of this discussion I consider software, systems and service development life cycle as broadly being the same thing, a series of steps that provide a model for the development and management of the software, system or service. Any entity engaged in the creation of these S’s will have an SDLC, no matter how informal it may be.

The necessity for formalising the SDLC into a process that is regulated, secure and compliant is a function of the size and nature of the business; where it operates (jurisdictional boundaries: local, national, regional and global) and the awareness which the business has of the total cost of developing and maintaining its software, systems and or services. A detailed discussion of SDLC is beyond the scope of this post, suffice to say a global enterprise probably maintains more than one SDLC and has a menagerie of different applications (code and binary repositories, continuous build, test and delivery tools, etc) often duplicating functions and their decencies, to implement their SDLC processes.

If this situation isn’t complex enough, throw into the mix, the traditional silos and dependencies inflicted by outmoded organisational models. For example the separation of development, testing, release management, operations and unsurprisingly you have a situation where release cycles take months.

Your best development talent leaves to join startups out of frustration and what you have left is a potent mix of individuals that either know how subvert the rules or worse still actively engage in their creation. These individuals make no useful contribution and simply engage in fighting a loosing battle with entropy using change requests and approval gates.

This picture may be overly bleak and somewhat exaggerated but I’m sure its a familiar picture to most of my readers. I think Adam Curtis’s documentary series Pandora’s Boxcaptures the essence of the absurdity that can arise from the implementation of what seems to be a rational plan to manage complexity.

Ultimately the unintended consequence of Enterprise SDLC is to impede the progress of code into production and with it, value generation for the business and the sense of satisfaction of those creative individuals involved in producing software, systems or services.

Enter DevOps

DevOps as a culture, practice and tool set is penetrating the enterprise today because it has delivered results which are unambiguously superior to traditionally silo organised IT with all its built in cultural in and out groups, bizarre RACI that makes operations staff accountable for applications and which lets the developers off the hook as soon as the code is in production. Early and stunning success has left the business craving more DevOps from IT and the market has responded to the demand in what I believe is an excellent expression of innovation. In little more than a decade (we were doing DevOps before it was called DevOps) the culture, technology and the market have driven DevOps awareness, if not quite full implementation, into every sector that produces IT.

However if we step back and look at the scale of Enterprise SDLC we can see how DevOps, on its own, will not fully meet the high expectations it has raised for the enterprise. The diagram below depicts a classic Enterprise SDLC. While DevOps permeates many aspects of SDLC clearly there are gaps, most significantly in the provisioning and maintenance of the infrastructure underpinning Enterprise IT.

Everything as a Service

The demand delivery service classes that constitute XaaS: IaaS, SaaS, PaaS etc are of fundamental importance in realising the full benefits of DevOps and among these service classes PaaS is the obvious delivery vehicle for enterprises that must maintain on-premise infrastructure while aspiring to greater cloud adoption.

In my previous post: Resurgence of Platform as a Service I outline the benefits of PaaS for the enterprise and given the diagram above anyone that has taken the time to evaluate PaaS technologies on the market can’t fail to notice that the more mature products from vendors, with experience of enterprise clients, maintain within their product portfolios all the technical building blocks demanded by Enterprise SDLC.

What distinguishes one PaaS from another, at least from the perspective of SDLC is the degree of automation, simplicity and flexibility to they afford for transforming existing products and processes to those that are required to deliver the goal of rapid and secure deployment into production from source.

Selecting the right PaaS for your enterprise is not a trivial matter if your goal is the transformation of IT from a complex behemoth bemoaned by the business and the butt of slurs from your developer community into an organisation that truly generates value for customers, shareholders, employees and other stakeholders.

The technology selection is the first domino to fall in the transformation journey, the first micro transformation, if it doesn’t fall, or falls in the wrong direction, the consequences will be, as we like to say where I work, career limiting.

Security in the DNA of the XaaS, SDLC and DevOps

As someone who has been coding Java on and off for about 20 years and who has spent the last 10 years in IT infrastructure, I can’t help but notice that the vast majority of tools that comprise a DevOps Circuit are Java based. From issue and bug trackers to code analysers and continuous build, test and deploy tools Java continues to be a ubiquitous technology within the Enterprise. This popularity is not without its costs and risks and those costs and risks are greatest in the area of security and patching.

I have discussed this problem at length in previous posts see: Cutting the Cost of Patch Management, Enter RASP and AppSecurity for Java and Cyber Threat Intelligence and for a full breakdown of the financial, temporal and lost opportunity cost of Java patching I direct readers to Waratek’s white paper Maximising the ROI of Cyber Security Strategy with RASP. For the uninitiated Runtime Application Self Protection (RASP) is a term championed by Joseph Feiman while he was a Research Vice President and Fellow at Gartner and refers to

Security technologies that are built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks

Waratek’s AppSecurity for Java is just such a technology is one of the more mature and effective enterprise ready RASP technology available today for Java. Simply deploying the DevOps and SDLC Java tools to AppSecurity has a positive impact on risks and costs, but the benefits are exponentially increased when one considers that application code is what is being propagated through the SDLC and AppSecurity for Java is therefore applying the benefits of RASP not just to the DevOps Circuit tools and the Java containers deployed to the PaaS, but also to every line of code being built, tested and deployed throughout the entire Enterprise SDLC. The ramifications for securing Java code, from genesis to realisation in production, constitute a paradigm shift in the way that Java is secured.

Did you like this post? If so please consider supporting my independent work through patreon or liking and sharing this post with your community.